PT-2025-45778 — Missing Encryption of Sensitive Data in Maven Jenkins Byteguard Build Actions Plugin

PT-2025-45778 · Maven · Jenkins Byteguard Build Actions Plugin

Published

2025-10-29

Updated

2025-10-29

CVSS v3.1

4.3

Medium

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Jenkins ByteGuard Build Actions Plugin 1.0 and earlier stores API tokens unencrypted in job config.xml files on the Jenkins controller as part of its configuration.

These tokens can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

Additionally, the job configuration form does not mask these credentials, increasing the potential for attackers to observe and capture them.

As of publication of this advisory, there is no fix.

Fix

Missing Encryption of Sensitive Data

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-311

Related Identifiers

GHSA-VMM2-53RC-43V3

Affected Products

Jenkins Byteguard Build Actions Plugin

PT-2025-45778 · Maven · Jenkins Byteguard Build Actions Plugin

Weakness Enumeration

Related Identifiers

Affected Products

References · 5